[00:18.650 --> 00:24.970]  Hello everyone, AfterPacket here. We have another great speaker for you today.
[00:25.130 --> 00:32.430]  We have Alan with FireNameVirus with a spreadsheet and we're very excited to
[00:32.430 --> 00:37.030]  have him. And with that, I will let Alan take it away. Thank you.
[00:39.780 --> 00:46.020]  Yeah, I'm Alan Baranov. I'm from Melbourne, Australia. Today I'll be taking you through
[00:46.360 --> 00:53.120]  a real life story that happened to me. Mostly real life. Names and places have been changed
[00:53.120 --> 01:00.380]  to protect the innocent. What we'll do is we'll start at the successful end and we'll rewind
[01:01.020 --> 01:07.440]  a couple of months back to see exactly what steps were taken by me and my team to ensure
[01:07.440 --> 01:14.100]  that everything worked out okay. Yeah, whole thing will be done in Excel because that's
[01:14.100 --> 01:23.300]  what we're on about. A bit about me. So I started off as a technical person about 20 years ago.
[01:23.420 --> 01:32.220]  Worked my way through firewalls and other kinds of technical security controls and am now a GRC
[01:32.220 --> 01:37.840]  consultant. So yeah, that's where I am and who knows where the future will be. If you want to
[01:37.840 --> 01:47.420]  reach out to me, I'm A. Baranov or Alan Baranov on most social media. And yeah, let's take it away.
[01:48.140 --> 01:54.480]  All right. So on this slide, one of my friends who works in a Blue Team environment said
[01:54.480 --> 01:58.480]  I must definitely put a warning here because some of the stuff that we were about to talk about
[01:58.480 --> 02:07.020]  can be quite scary for Blue Teamers. So yeah, Tuesday, the 27th of June, 2017.
[02:09.580 --> 02:17.660]  I arrive into work and yeah, my boss Trevor was waiting for me. He was sipping on a milkshake,
[02:17.660 --> 02:22.820]  which was a bad sign for me because when he does that, that means it's going to be an interesting
[02:22.820 --> 02:31.480]  day. And he said that he just wanted to get in before the big people came to speak to me. So
[02:31.480 --> 02:36.280]  essentially the CIO and what they called the security board came in and said that they wanted
[02:36.280 --> 02:42.260]  to speak to me. I'm like, okay, I'm not sure what's going on, but okay. They took me into a
[02:42.260 --> 02:48.900]  meeting and they told me that there was something called MS17-010 and that it had been used. We
[02:48.900 --> 02:54.980]  didn't know what it was called just yet, but now it's got a name called NotPetya. It had taken
[02:54.980 --> 03:00.200]  down many of the Australian businesses and businesses around the world like Maersk and Merck
[03:00.200 --> 03:05.800]  and they were worried about our infrastructure. And they were worried that we were going to be
[03:05.800 --> 03:12.880]  brought down. And so could I actually get involved and help them out with that? So, yeah,
[03:12.880 --> 03:24.340]  that's all good. And so what actually happened in that was I went back to them and I said,
[03:24.340 --> 03:30.140]  listen, we've got no problems because we're fully patched. And they were like, they didn't believe
[03:30.140 --> 03:34.960]  me. And I said, okay, that's fine. No problem. I've got all the information in spreadsheets. I
[03:34.960 --> 03:41.600]  can show you how we've tracked the patching that we've done over time. And they were a bit
[03:41.600 --> 03:45.040]  impressed, but they're also a bit disappointed because I think they actually wanted to put up
[03:45.160 --> 03:52.780]  a bit of a fight against this piece of malware. But anyway, we were successful. And so now I want
[03:52.780 --> 03:58.240]  to take you back through a bit of the history before this as to how we got to this point,
[03:58.240 --> 04:03.560]  and I could actually say, yep, all good. That virus is not going to come anywhere close to us.
[04:04.140 --> 04:12.140]  All right. So, yeah, while I was working there, my manager, he came out with this idea that he
[04:12.140 --> 04:20.460]  wanted big monitors and he wanted us to look like NASA. And, well, yes, we had Pew Pew maps and all
[04:20.460 --> 04:27.780]  of that on there, but he also wanted to put some other information up there. And so, yeah, he got
[04:27.780 --> 04:34.380]  me to do that. And I actually coined the phrase security through big monitors. And I Googled this
[04:34.380 --> 04:41.960]  and there were no search results that came out for that. So, basically, I think I invented the term.
[04:41.960 --> 04:48.480]  So, if anyone wants to use it, you're welcome. You just need to pay me royalties. So, the first
[04:48.480 --> 04:53.240]  thing I decided that we'll do is put up some traffic lights. Because any time you have a
[04:53.240 --> 05:00.240]  manager and they want information, traffic light, all the things, of course. Because bosses like to
[05:00.240 --> 05:09.040]  be given pretty pictures to look at. So, what we did, yep, we came out and did a graph where we
[05:09.040 --> 05:14.640]  took all the patches, all the servers, sorry, all the patches, divided them by all the servers and,
[05:14.640 --> 05:21.460]  of course, got a lovely diagram. Some months we had more than 90% of patches applied. Some months
[05:21.460 --> 05:31.620]  we had less than that. And so, we tracked against the stats there. And, of course, because we're
[05:31.620 --> 05:36.700]  using traffic lights, you always want to make sure that you're in the yellow. Just basically because
[05:36.700 --> 05:40.260]  if you're in the red, that means you're not doing your job. And if you're in the green, it means
[05:40.260 --> 05:49.020]  that you've got way too much budget. So, that's... you've got to keep it in the yellow. Which is
[05:49.020 --> 05:53.840]  what you're looking at now. If Microsoft release a lot of patches, you'll probably go into the
[05:53.840 --> 05:58.120]  yellow. If they don't release a lot of patches, you'll go into the green. If they release a lot,
[05:58.260 --> 06:03.760]  a lot of patches, then you might hit the red. So, you're tracking Microsoft and that doesn't really
[06:03.760 --> 06:09.140]  help you. It doesn't give you any direction of where to go. But some of the stuff that we were
[06:09.140 --> 06:14.960]  looking at at this time to try and improve the whole process is, is it really the total number
[06:14.960 --> 06:20.240]  of patches? Did we get them all right? Is it improved patches? Are there other servers that
[06:20.240 --> 06:28.620]  we could be looking at, et cetera? So, that was that. And then the other thing that... so, then
[06:28.620 --> 06:32.600]  what I did was I thought, okay, well, let's enhance it. Let's see if we can actually dig
[06:32.600 --> 06:38.900]  into the information a bit deeper. So, you'll see I've taken this kind of list of computers,
[06:38.900 --> 06:46.040]  total patches, installed patches. All in all, we came out 93.6%. Which is good. Which is great.
[06:46.040 --> 06:49.700]  Which gets us in the green. But if you have a look at the actual computers themselves,
[06:50.840 --> 06:55.660]  you'll see that there's some issues here. So, some of them are below what we're supposed to be
[06:55.660 --> 07:04.460]  having. Some of them are good. Most of them are good. But this one, you'll see, is even 76.5%. That
[07:04.460 --> 07:10.760]  may never have received any patches in the lifetime of that server at all.
[07:13.700 --> 07:19.820]  So, it's good to do that. Because, of course, it gives us direction. Let me just go back to that
[07:19.820 --> 07:25.060]  one. So, it gives us direction as to where to go. So, we can see... oh, hang on. Most of these are
[07:25.060 --> 07:30.620]  okay. We can just leave them. They seem to be updating. Everything's fine. The two that aren't,
[07:30.620 --> 07:36.540]  we can fix that out. That might be just one month that just didn't quite work out properly. Maybe
[07:36.540 --> 07:43.060]  they just need to be rebooted. Who knows? So, you can sort those. And then the one that is getting
[07:43.060 --> 07:49.180]  no patches at all, that's the one where you're gonna want to concentrate and get everything
[07:49.180 --> 07:57.700]  sorted out. Yeah. So, I mean, I can talk about an hour on each one of these kind of slides.
[07:58.560 --> 08:05.140]  But unfortunately, I can't. But if anyone wants to catch me on the Discord, yeah, I'm available
[08:05.140 --> 08:10.940]  there. Or if you want to drop me a tweet, whatever, we can talk further. But essentially, the reason
[08:10.940 --> 08:16.240]  why I put this in here is, you know, once you've sorted out stuff, if you see that stuff is
[08:16.240 --> 08:23.720]  recurring, then you can do... you can check against it and see why it's happening and just keep on
[08:23.720 --> 08:28.480]  working through it. And over time, what you'll find is that you're actually improving. And that's
[08:28.580 --> 08:32.520]  a good thing. So, you're no longer tracking whether Microsoft has released too many patches
[08:32.520 --> 08:37.700]  for you to patch or not. What you're actually tracking now is how well are you doing and how
[08:37.700 --> 08:50.800]  well are you getting patched? Okay. So, what I just wanted to point out at this point is that
[08:51.780 --> 08:59.940]  a many-to-many relationship is actually a very difficult thing to get right. And we have
[08:59.940 --> 09:04.280]  one in this particular case. So, what we're looking at here is we have multiple servers,
[09:04.280 --> 09:09.980]  we have multiple patches. And if you have a case like that, then you need to start working out
[09:09.980 --> 09:16.860]  because it's too much information to try and work with all at once. So, you kind of summarize
[09:16.860 --> 09:21.900]  it down to, okay, how many servers do we have? Okay. These are the servers. Okay. And then,
[09:21.900 --> 09:27.540]  what patches are there? But you can get more interesting information once you start looking
[09:27.540 --> 09:33.680]  at the patches. So, you can have a look at whether they're a high, medium, or low-risk patch. And
[09:33.680 --> 09:37.660]  maybe you have different rules for each of those. So, now you're starting to get into
[09:38.660 --> 09:45.280]  understanding the information at an even higher level. And also, you can start looking at the
[09:45.280 --> 09:51.840]  actual ages of the patches. So, what you might do is you might say, okay, well, we haven't actually
[09:53.080 --> 09:57.180]  patched these patches here, but we're not expecting to because they only came out this month and we
[09:57.180 --> 10:01.600]  just haven't had time to test them. We haven't had time to apply them. And they're not critical
[10:01.600 --> 10:07.060]  that we need to do it immediately. So, that's okay that they haven't been patched. All good.
[10:08.180 --> 10:14.220]  You might have some that are one month out. And that's a problem because they haven't gone through.
[10:14.220 --> 10:17.660]  But at least you know that. And the next time you patch, okay, well, then that's fine. We'll
[10:17.660 --> 10:24.240]  patch them that time. You might then have a process... you might have it where the process has failed
[10:25.000 --> 10:30.280]  twice. And now you're going to have a bit of a problem. Why is your process not working? That's
[10:30.380 --> 10:35.520]  a bit of an issue. And then, of course, if it fails three times, then hang on a sec. Okay, now we have
[10:35.660 --> 10:39.400]  a huge issue. Because we've looked at it three times and we still haven't been able to work it
[10:39.400 --> 10:44.900]  out. Hopefully something is being worked out to get that sorted eventually.
[10:47.360 --> 10:53.060]  And now that you have that information, you have meaningful information that you can graph.
[10:53.080 --> 10:58.160]  And you can go back to doing the red, the yellow, and the green like a Ghana flag.
[10:58.500 --> 11:02.440]  And it actually means something. Because what you can say is, like, hang on a sec,
[11:02.440 --> 11:07.300]  where you see red is where our processes are failing. And we can actually start to work on
[11:07.300 --> 11:17.110]  that. And you can bring that down over time. All right. But wait.
[11:19.090 --> 11:23.070]  What about MS17-010 from the beginning of our discussion?
[11:25.870 --> 11:32.010]  So what we were doing before this point was we were actually trying to patch all the different
[11:32.010 --> 11:36.390]  servers over time. We weren't looking at the patches, really. We were just looking at the
[11:36.390 --> 11:44.490]  servers and trying to patch server by server. And now, all of a sudden, you have this really bad
[11:46.630 --> 11:56.050]  vulnerability. It can be remotely attacked. And, yeah, it's just a very, very bad
[11:56.790 --> 12:02.690]  vulnerability. It came out bad. And then, of course, one of the things that Joshua
[12:02.690 --> 12:11.370]  Corman came out with is something called HD Moore's Law, which is... it's basically a pun on
[12:11.370 --> 12:20.630]  Moore's Law. And essentially, what it is, is as virus... well, as vulnerabilities get easier and
[12:20.630 --> 12:26.850]  easier to exploit, they become more and more dangerous. And so what happened with this one
[12:26.850 --> 12:34.130]  is it slowly... I noticed that exploits were being built, theoretical exploits and real
[12:34.130 --> 12:40.210]  exploits and Metasploit modules. And then I saw that and I thought, oh, okay, this thing is going to
[12:40.210 --> 12:53.220]  become a worm in the not-too-distant future. So going back into this slide here, as I said,
[12:53.220 --> 12:58.000]  many-to-many relationships are not good because they bring in complexity. But
[12:59.660 --> 13:03.460]  sometimes they are good because now we can actually pivot and we can say, okay, well,
[13:03.460 --> 13:08.920]  we were looking at servers and how many patches we had running on the different servers. Now,
[13:08.920 --> 13:13.180]  we can actually go back and we can say, okay, well, now let's look at this one single patch
[13:13.180 --> 13:25.610]  and how many servers have this patch installed on it. And so if we work out that information,
[13:25.610 --> 13:32.110]  we can see, okay, well, these servers, A, B, C, D, E, G, A, N, H, have the patch installed.
[13:32.350 --> 13:37.610]  And then these three computers have the patch missing. Now, remember, we're also using...
[13:38.530 --> 13:42.970]  so the reason why we've got so many computers that actually have it patched is because we're
[13:42.970 --> 13:48.430]  going through the computers and we will attack the critical patches while we're doing it. And
[13:48.430 --> 13:53.250]  also at the same time, we were looking for computers that were missing. So we actually
[13:53.250 --> 13:59.030]  managed to get all the computers and got them mostly patched. And then, hang on, these three,
[13:59.030 --> 14:03.470]  for some reason, just don't have this one single patch. And it could be that they're
[14:03.470 --> 14:08.110]  new computers. They just haven't had patches applied at all ever. And so therefore, boom,
[14:08.110 --> 14:14.350]  we can just basically apply the patch. And so that's what we did. And that's why we were
[14:14.350 --> 14:20.530]  successful. So essentially, we built the information over time and got to this point.
[14:20.530 --> 14:27.790]  And then we managed to flip it and managed to change our processes.
[14:28.050 --> 14:31.550]  So there's a couple of takeaways. Well, there's more than a couple of takeaways. There's a few
[14:31.550 --> 14:37.570]  takeaways that I'd like to show you here. Number one, get information. There's always information
[14:37.570 --> 14:43.030]  out there. The information I got directly from the Microsoft guys, they just basically pulled
[14:43.030 --> 14:49.410]  it out and sent it my way. Raw information, stick it into Excel. And then number two,
[14:49.410 --> 14:55.370]  play with it, manipulate it, move it around, experiment, keep changing it. It's low risk.
[14:55.370 --> 15:01.090]  You have no issue with playing around with information. It's all in your spreadsheet.
[15:01.090 --> 15:06.030]  It's all good. Number three, use it to improve things. Try and say, okay, well, hang on a sec,
[15:06.030 --> 15:12.770]  our processes need to be improved or not. Do we know or don't we know? And then, of course,
[15:13.690 --> 15:16.770]  get the information that will tell you exactly what you need to know,
[15:16.770 --> 15:23.390]  whether your processes are working or not. Always ask why. Don't just fix stuff. Work out,
[15:23.390 --> 15:27.830]  why was it broken in the first place? Because if it happens again, you'll know and you'll be able
[15:27.830 --> 15:36.710]  to fix it up. Also, just note that you don't need expensive tools. We have Excel. And that's all I
[15:36.710 --> 15:44.970]  used. So, basically, that was... I didn't have to go out and buy anything, any special tools or
[15:44.970 --> 15:50.390]  anything. I had it already. All I needed was the information and some of my time to get it working.
[15:51.530 --> 15:59.510]  WSSZ Excel was free. Yeah. Okay. Yeah. So, doing security right is hard. There's no easy wins.
[15:59.730 --> 16:06.270]  So, it looks easy from what I've shown you here. But there was a lot of hard work behind the scenes.
[16:06.290 --> 16:12.510]  Once I got the information in place, sitting with the IT team and getting them to patch and repatch
[16:12.510 --> 16:19.810]  and get it right and research and find out what was going wrong, there was a lot of work. The
[16:19.810 --> 16:29.010]  one thing that I could point out at this point now is that having that extra good information
[16:29.010 --> 16:34.970]  that I could give to them made them more excited about the job that they were doing. It wasn't me
[16:34.970 --> 16:38.630]  just coming as a security person and saying, listen, you need to patch your servers because
[16:38.630 --> 16:43.250]  patching servers is a good thing to do. It was me coming to them and saying, hey,
[16:43.250 --> 16:49.410]  this computer, it doesn't seem to be working, doesn't seem to be getting its patches. Can you
[16:49.410 --> 16:54.630]  work out why that is? And then they come back to me and say, listen, this is the story and we can
[16:54.630 --> 17:00.970]  actually sort it out and fix it. So, that's what comes out of having the information. It makes life
[17:01.090 --> 17:10.250]  a lot easier for you and for your IT team. And, yeah, as I said, work with your teams.
[17:12.070 --> 17:17.710]  Yeah, you can say, okay, well, if you're asking why, can you help them? A lot of times they would
[17:17.710 --> 17:22.270]  come back to me and say, listen, I have no idea why this isn't working. And we dig in the history
[17:22.270 --> 17:27.530]  and we can see, okay, well, it patches sometimes, sometimes not. There must be something strange
[17:27.530 --> 17:32.310]  with that box. Or it's never been patched before. And then you can work out stuff like maybe there's
[17:32.410 --> 17:39.250]  a firewall in the way, et cetera, et cetera. Keep digging deeper. So, as I showed you,
[17:39.250 --> 17:43.230]  the first things we were monitoring were just like the total number of patches across everything
[17:43.230 --> 17:49.270]  and divided by the total number of computers. And it didn't really tell us very much. It didn't
[17:49.270 --> 17:56.270]  give us a good, deep amount of information that we could work with. And usually that information's
[17:56.270 --> 18:01.490]  there. You're just not looking at it. So, always keep getting more information. And don't be scared
[18:01.490 --> 18:07.090]  to get information from two different places. Like, for instance, what I was saying earlier is
[18:07.700 --> 18:14.810]  you want to... we had all the computers that we knew about. But when I found some other lists
[18:14.810 --> 18:18.650]  of computers, those were different. And then the question is, well, why are they different?
[18:19.170 --> 18:27.050]  And then that helps you to actually get a more... a bigger understanding of your total...
[18:27.850 --> 18:33.490]  the total issue that you need to deal with. And number 10, don't be scared to change your
[18:33.490 --> 18:39.830]  process. So, we had a good process. We were getting... we were making leeway against what
[18:39.830 --> 18:45.350]  we had to do. So... sorry, making headway against what we were trying to do. So, we were getting
[18:45.350 --> 18:49.650]  our servers patched. And we were getting more servers patched. And the lines were coming down
[18:49.650 --> 18:54.890]  because less and less critical patches were missing. Less and less non-critical patches
[18:54.890 --> 18:59.330]  were missing. But then when all of a sudden I saw that there was one patch that was really,
[18:59.330 --> 19:02.990]  really important that we really needed to get out of the way,
[19:02.990 --> 19:07.750]  changed everything. Okay. This is the one. This is what we need to sort out first. Everything else
[19:07.750 --> 19:14.650]  needs to take... we'll get to that. We'll get to it eventually. But this is what we need to
[19:14.650 --> 19:23.010]  get right now. And, yeah, next steps. So, if you're interested in this, the next step for you
[19:23.010 --> 19:29.510]  would be get your information. Go find where you can get it from. Get CSVs. Get some JSON. Get text.
[19:30.150 --> 19:36.230]  And convert it. Put it all into Excel. Start fiddling with it. Learn how to join the sources
[19:36.230 --> 19:41.790]  together. Learn how to use pivot tables. Learn how to use graphs. And play. And play and play
[19:41.790 --> 19:49.650]  until you get the information that you need. Just, yeah. You're a hacker. So, use your hacking
[19:49.650 --> 19:59.730]  ability to work with Excel. And that's pretty much it. Just a shout out to my Baranov clan
[20:00.550 --> 20:10.530]  and to the DEF CON group of Melbourne. Hey, guys. Also to the Australian B-Sides team.
[20:10.530 --> 20:18.030]  B-Sides Melbourne. And, yeah, to all of you that are there taking your time out to watch this
[20:18.030 --> 20:23.270]  presentation, thank you very much for that. And thank you very much to the DEF CON team and to
[20:23.270 --> 20:32.710]  the Blue Team Village for having me. It's a great honor to be able to speak in this forum. And,
[20:32.710 --> 20:37.050]  yeah, if there's anyone that does have any questions, I'm not sure. There might be a bit
[20:37.050 --> 20:45.310]  of time left. Alternatively, just find me in other DEF CON, the DEF CON Discord or alternatively
[20:45.310 --> 20:49.990]  in the Blue Team Village Discord. And, yeah, I'll answer any questions that you have.
[20:50.250 --> 20:56.750]  Thank you very much. Awesome. Thank you for the wonderful presentation, Alan. As always,
[20:56.750 --> 21:04.230]  we suggest that you join the Blue Team Village Discord and direct your questions to
[21:05.310 --> 21:12.810]  texttalktrack1. Okay, I will do for sure. The presenter will take a look and be able to answer
[21:12.810 --> 21:20.410]  your questions. And other than that, I appreciate that and thank you again. Thank you.
